Commit 2b3d2c9

TokenRequest feature documentation
1 parent 28eb1cf commit 2b3d2c9

1 file changed

+51
-5
lines changed

content/en/docs/tasks/configure-pod-container/configure-service-account.md

Lines changed: 51 additions & 5 deletions
@@ -250,12 +250,58 @@ spec:
250250
TODO: Test and explain how to use additional non-K8s secrets with an existing service account.
251251
-->
252252
253-
## Service Account Volume Projection
253+
## Service Account Token Volume Projection
254254
255-
Kubernetes 1.11 and higher supports a new way to project a service account token into a Pod.
256-
You can specify a token request with audiences, expirationSeconds. The service account token
257-
becomes invalid when the Pod is deleted. A Projected Volume named
258-
[ServiceAccountToken](/docs/concepts/storage/volumes/#projected) requests and stores the token.
255+
{{< feature-state for_k8s_version="v1.12" state="beta" >}}
256+
257+
{{< note >}}
258+
**Note:** This ServiceAccountTokenVolumeProjection is __beta__ in 1.12 and
259+
enabled by passing all of the following flags to the API server:
260+
261+
* `--service-account-issuer`
262+
* `--service-account-signing-key-file`
263+
* `--service-account-api-audiences`
264+
265+
{{< /note >}}
266+
267+
The kubelet can also project a service account token into a Pod. You can
268+
specify desired properties of the token, such as the audience and the validity
269+
duration. These properties are not configurable on the default service account
270+
token. The service account token will also become invalid against the API when
271+
the Pod or the ServiceAccount is deleted.
272+
273+
This behavior is configured on a PodSpec using a ProjectedVolume type called
274+
[ServiceAccountToken](/docs/concepts/storage/volumes/#projected). To provide a
275+
pod with a token with an audience of "vault" and a validity duration of two
276+
hours, you would configure the following in your PodSpec:
277+
278+
```yaml
279+
kind: Pod
280+
apiVersion: v1
281+
spec:
282+
containers:
283+
- image: nginx
284+
name: nginx
285+
volumeMounts:
286+
- mountPath: /var/run/secrets/tokens
287+
name: vault-token
288+
volumes:
289+
- name: vault-token
290+
projected:
291+
sources:
292+
- serviceAccountToken:
293+
path: vault-token
294+
expirationSeconds: 7200
295+
audience: vault
296+
```
297+
298+
The kubelet will request and store the token on behalf of the pod, make the
299+
token avaialble to the pod at a configurable file path, and refresh the token as
300+
it approaches expiration. Kubelet proactively rotates the token if it is older
301+
than 80% of its total TTL, or if the token is older than 24 hours.
302+
303+
The application is responsible for reloading the token when it rotates. Periodic
304+
reloading (e.g. once every 5 minutes) is sufficient for most usecases.
259305

260306
{{% /capture %}}
261307

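Review bot: typo at +299, "avaialble" should be "available", and "usecases" at +304 should be "use cases". Two documentation points in the same hunk: first, the reloading advice at +303 to +304 would be clearer if it named what must be re-read, i.e. the file at the mounted path (`/var/run/secrets/tokens/vault-token` in the example at +286 and +293), since an application that caches the token contents at startup keeps presenting a token the kubelet has already rotated; something like "re-read the token file from the mounted path periodically (e.g. once every 5 minutes)" would do. Second, the heading rename at -253/+253 ("Service Account Volume Projection" to "Service Account Token Volume Projection") changes the generated anchor, so any existing links to the old heading should be checked and updated in the same change.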